"A Trusted Framework for the Cross-boundary Flow of Personal Information within the Guangdong–Hong Kong–Macao Greater Bay Area" – Privacy Commissioner’s article contribution at Hong Kong Lawyer (Mar 2024)
To foster Hong Kong’s unique role as an international economic powerhouse and information hub and given the close integration of cities within the Guangdong–Hong Kong–Macao Greater Bay Area (“Greater Bay Area”), the Cyberspace Administration of China (“CAC”) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (“ITIB”) signed a Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong–Hong Kong–Macao Greater Bay Area (“MoU”) on 29 June 2023 to jointly promote cross-boundary data flows in the Greater Bay Area.
Undoubtedly, the free flow of information is both fundamental and conducive to the long-term development and success of Hong Kong and the Greater Bay Area. Against this background and as a facilitation measure under the MoU for the cross-boundary flows of personal information within the Greater Bay Area, the CAC, ITIB, and my Office jointly formulated and published the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (“the GBA SC”) on 13 December 2023.
Scope of Application
The GBA SC applies to cross-boundary transfers of personal information between nine Mainland cities that are within the Greater Bay Area (including Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing of Guangdong Province) and Hong Kong. In other words, personal information processors and recipients who are registered (for organisations) or located (for individuals) in the Greater Bay Area may now readily carry out cross-boundary transfers of personal information between these nine Mainland cities within the Greater Bay Area (“the Mainland cities”) and Hong Kong by executing agreements that adopt the GBA SC in compliance with the requirements of the relevant laws and regulations of their respective jurisdictions, including, in particular, the Mainland’s Personal Information Protection Law (“the PIPL”) and the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”) of Hong Kong.
Organisations and practitioners in Hong Kong are strongly advised to read the Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) promulgated by my Office to better acquaint themselves with the detailed requirements of the GBA SC.
Requirements under the Personal Data (Privacy) Ordinance (Cap. 486)
Data users in Hong Kong who wish to rely on the GBA SC when conducting cross-boundary flows of personal data from Hong Kong to the Mainland cities are reminded of their existing obligations, including the six Data Protection Principles (“DPPs”), under the Ordinance.
Notably, data users who wish to conduct cross-boundary data transfers to places outside Hong Kong should duly inform the data subjects that their personal data will be transferred to data recipients outside Hong Kong and specify the purposes for which the data are to be used (DPP1). Data users are also required to assess whether the transfer of personal data to a place outside Hong Kong under the GBA SC would constitute a new purpose. If so, they need to obtain the data subject’s prescribed consent (DPP3). If a data user engages a data processor to process personal data outside Hong Kong on its behalf, the data user must adopt contractual or other means to, among other things, prevent prolonged retention (DPP2(3)) and unauthorised or accidental access, processing, erasure, loss or use of the personal data transferred to the data processor (DPP4(2)).
Complying with the Personal Data Protection Regime in Hong Kong
For cross-boundary transfers of personal data from Hong Kong to the nine Mainland cities within the Greater Bay Area, the adoption of the GBA SC will serve to demonstrate that the data user has taken reasonable precautions and exercised due diligence to ensure that the relevant data will not be collected, held, processed or used in the Mainland in any manner that, if it took place in Hong Kong, would be a contravention of the Ordinance. We therefore encourage data users to adopt the GBA SC to effect the transfers. Data users are reminded that the GBA SC regime will not affect the operation of the Ordinance or my Office’s work in protecting personal data privacy and supervising compliance with the Ordinance in Hong Kong.
The GBA SC
The GBA SC contains eight parts and imposes obligations and responsibilities on both personal information processors (including data users) and the intended recipients of the data.
Data users and recipients should also take note of the requirements set out under the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (“the Implementation Guidelines”) issued by the CAC and ITIB on 13 December 2023 regarding the implementation of the GBA SC.
Key Definitions
Under the GBA SC, a “personal information processor” in the Mainland is an organisation or individual that autonomously determines the purposes and means of processing the personal information. The term also covers a “data user” in Hong Kong who, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. A “personal information processor” is the party who transfers personal information across the boundary.
Similarly, while a “personal information subject” in the Mainland refers to a natural person who can be identified by or is associated with the personal information, the term covers a “data subject” in Hong Kong. In relation to personal data, this means the individual who is the subject of the data.
The definition of “personal information”, which is processed by personal information processors in the Mainland cities and by data users in Hong Kong, is determined in accordance with the PIPL and the Ordinance, respectively.
In short, the GBA SC is crafted to ensure that its application is in accordance with the laws and regulations of the respective jurisdiction of the personal information processor and the recipient, as appropriate.
Relaxation of requirements
As a facilitation measure, the GBA SC has relaxed some of the requirements set out in the Mainland’s Measures on the Standard Contract for Cross-border Transfers of Personal Information out of the Mainland[1]. For instance:
-
The restriction concerning the amount and sensitivity of the personal information that may be transferred across borders was removed under the GBA SC;
-
The parties to the GBA SC are not required to conduct relevant assessments of the personal information protection policies and regulations in the region where the recipient is located;
-
The scope of the personal information protection impact assessment to be conducted by personal information processors under the GBA SC is greatly reduced; and
-
There is no specific requirement regarding sensitive personal information or automated decision-making mechanisms under the GBA SC.
Additional requirements
To align with the relevant laws and regulations of the Mainland, the GBA SC also imposes additional contractual requirements upon the personal information processors and recipients relative to the requirements under the PDPO. For instance:
-
The personal information processor shall conduct a personal information protection impact assessment on the intended transfer (Article 2(8) of the GBA SC);
-
The parties shall adhere to the filing procedures of the GBA SC (Article 8(3) of the Implementation Guidelines); and
-
The recipient shall not provide the personal information received in accordance with the GBA SC to organisations or individuals outside the Greater Bay Area (Article 3(7) of the GBA SC).
Key Obligations and Responsibilities for Personal Information Processors
Article 2 of the GBA SC specifies the obligations and responsibilities of personal information processors (including data users), as follows:
-
Inform the personal information subjects (including data subjects) of the requisite information, such as the name and contact information of the recipient, the purposes and means of processing the personal information to be transferred across boundary, the intended transfer to a third party in the same jurisdiction as the recipient (if applicable), etc. (Article 2(2));
-
Obtain the consent of the personal information subjects prior to the cross-boundary transfer of personal information in accordance with the laws and regulations of the jurisdiction concerned (Article 2(3));
-
Inform the personal information subjects that they will be a third-party beneficiary as agreed by the personal information processor and the recipient under the GBA SC (Article 2(4)); and
-
Conduct a personal information protection impact assessment on the intended transfer, focusing in particular on the following matters, and retain the report for at least 3 years (Article 2(8)):
-
the legality, legitimacy and necessity of the purposes and means, etc., of processing personal information by the personal information processor and the recipient;
-
the impact on and security risks to the rights and interests of personal information subjects; and
-
whether the obligations undertaken by the recipient, as well as its management and technical measures, together with capabilities, etc. to perform such obligations, can ensure the security of personal information transferred across the boundary.
Key Obligations and Responsibilities for Recipients
Another noteworthy provision is Article 3 of the GBA SC. Article 3 states that recipients have the following obligations and responsibilities, including:
-
The recipient shall not provide the personal information received in accordance with the GBA SC to organisations or individuals outside the Greater Bay Area (Article 3(7)).
-
The recipient may only provide personal information to a third party in the same jurisdiction of the Mainland cities within the Greater Bay Area or in Hong Kong if all of the following conditions are met (Article 3(8)):
-
there is a business need for the transfer;
-
the personal information subject has been informed of the requisite information of the third party, the methods and procedures for exercising their rights as a personal information subject, etc.;
-
consent has been obtained in accordance with the applicable laws and regulations of the jurisdiction of the personal information processor (applicable if the processing of personal information is based on an individual’s consent); and
-
the personal information is provided to a third party in the same jurisdiction in accordance with the terms set out in the “Description of cross-boundary transfer of personal information” in Appendix I to the GBA SC.
3. If the recipient receives a request from a government department or judicial body of the jurisdiction where it is located to provide the personal information received under the GBA SC, it should immediately notify the personal information processor (Article 3(13)).
Other Notable Measures and Remarks
The personal information processor and the recipient should file their GBA SCs with the relevant authorities in their respective jurisdictions within 10 working days of their effective date(s). They should also be responsible for the authenticity of the materials filed. In Hong Kong, such filings should be made with the Office of the Government Chief Information Officer; the corresponding authority in the Mainland cities within the Greater Bay Area is the Guangdong Provincial Cyberspace Administration.
The GBA SC shall be entered into strictly in accordance with the Implementation Guidelines, and the intended transfer of personal information shall only be conducted after the GBA SC has come into effect. Personal information processors may agree on other terms with the recipient, but such terms shall not conflict with the GBA SC. The terms of the GBA SC shall prevail should there be any conflicts or inconsistencies between the GBA SC and any other legal documents executed by the parties.
Conclusion
The facilitation measure of GBA SC will streamline compliance with requirements for conducting cross-boundary flows of personal information within the Greater Bay Area, thereby promoting the development of Greater Bay Area’s digital economy and assisting Hong Kong in integrating into the Mainland’s national development. My Office is extremely grateful for the staunch support of the CAC in facilitating the cross-boundary flow of personal information within the Greater Bay Area.
The strategic importance of leveraging data to propel Hong Kong’s economic growth and strengthen our capacity to develop a digital economy cannot be understated. The GBA SC is a significant breakthrough under the “One Country, Two Systems” guiding principle to foster the development and success of Hong Kong and the Greater Bay Area and is in line with the Outline Development Plan for the Guangdong–Hong Kong–Macao Greater Bay Area.
[1] The
Measures on the Standard Contract for Cross-border Transfers of Personal Information came into operation in the Mainland on 1 June 2023. Personal information processors that satisfy the relevant conditions may rely on the execution of the standard contract to transfer personal information out of the Mainland.